browser-use

Pass

Audited by Gen Agent Trust Hub on Mar 10, 2026

Risk Level: SAFE

Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill requires the agent to manage its own Python environment and execute locally generated automation scripts. Evidence: SKILL.md contains shell instructions for python3 -m venv, pip install, and running scripts with python3 script_path.py.
  • [EXTERNAL_DOWNLOADS]: Fetches necessary Python packages and browser binaries from trusted public registries. Evidence: Downloads browser-use, playwright, and langchain-openai via pip, and Chromium binaries via playwright install chromium.
  • [DATA_EXFILTRATION]: Connecting to a real Chrome instance via CDP (Mode B) allows the agent to access the user's active cookies and sessions. While intended for automation, this sensitive data is transmitted to and processed by external LLM providers.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it is designed to ingest and process arbitrary web content.
      • Ingestion points: Web page DOM content and screenshots processed by the Agent (documented in SKILL.md and scripts/template.py).
      • Boundary markers: Absent; the skill does not wrap the untrusted data in safety delimiters.
      • Capability inventory: Local Python script execution, shell command access, and full browser control.
      • Sanitization: Absent; the skill relies on the underlying library's internal safety measures and does not define explicit filters.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 10, 2026, 07:21 AM